- From: Mike West <mkwst@google.com>
- Date: Mon, 3 Nov 2014 14:59:35 +0100
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cjkkg+oaJ_484X4Cc_z3n0phVjQSmAzXrH75Ac=R77fg@mail.gmail.com>
On Mon, Nov 3, 2014 at 2:54 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/3/14, 8:43 AM, Mike West wrote:
>
>> I think of it as a pure virtual interface which SecurityPolicySourceURL,
>> SecurityPolicySourceHash, and SecurityPolicySourceNonce implement. I
>> suppose this doesn't actually require marking it as NoInterfaceObject,
>> however.
>
> What's the point of such a pure virtual interface, exactly? What are the
> use cases?

The policy `script-src https://example.com 'sha256-...' 'nonce-...'` has three source expressions. It seems reasonable to treat them all as "expressions" that support "match()" operations for the purposes of the `sources` attribute. It would be good to be able to walk through the list with a `forEach` in order to determine whether a specific Request or Node matched an item in the list.

Exposing an array of "stuff" seems like a poor way to model this data set.

> It's very unlikely that you want this to be NoInterfaceObject. You either
> don't want such an interface at all, or you want it to have a sane
> constructor object with a prototype object hanging off it and all that.

Agreed. Thanks for pointing this out.

>> Those are arrays only because Bikeshed is rejecting
>> `sequence<SecurityPolicySource>`.
>
> Yeah, we need to finally fix
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23682 and update Bikeshed
> accordingly...

I am all for someone who knows what they're doing doing that. ;)

-mike
Received on Monday, 3 November 2014 14:00:23 UTC
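
The source-expression model discussed in the message above, sketched as an added example that is not part of the original thread or of any specification. The class names `UrlSource`, `HashSource` and `NonceSource`, the helpers `parseSourceList` and `firstMatch`, and the candidate object's fields are hypothetical, and URL matching is reduced to an origin comparison.

```javascript
const crypto = require("crypto");
const sha256b64 = (text) =>
  crypto.createHash("sha256").update(text, "utf8").digest("base64");

// Hypothetical model: each kind of source expression is its own class and
// exposes the same match(candidate) operation.
class UrlSource {
  constructor(expr) { this.expression = expr; this.origin = new URL(expr).origin; }
  // Simplification (assumption): origins only; real CSP matching also
  // handles wildcards, ports and paths.
  match(c) {
    try { return new URL(c.url).origin === this.origin; }
    catch { return false; } // missing or unparsable URL never matches
  }
}
class HashSource {
  constructor(expr) { this.expression = expr; this.digest = expr.slice(8, -1); }
  match(c) {
    return typeof c.inlineText === "string" && sha256b64(c.inlineText) === this.digest;
  }
}
class NonceSource {
  constructor(expr) { this.expression = expr; this.nonce = expr.slice(7, -1); }
  match(c) { return typeof c.nonce === "string" && c.nonce === this.nonce; }
}

// Turn a directive value into typed source objects; reject anything unknown
// rather than silently treating it as a match.
function parseSourceList(value) {
  return value.trim().split(/\s+/).map((tok) => {
    if (/^'sha256-[A-Za-z0-9+\/=_-]+'$/.test(tok)) return new HashSource(tok);
    if (/^'nonce-[A-Za-z0-9+\/=_-]+'$/.test(tok)) return new NonceSource(tok);
    if (/^https?:\/\//.test(tok)) return new UrlSource(tok);
    throw new TypeError("unsupported source expression: " + tok);
  });
}

// Walk the list with forEach and report which expression allowed the candidate.
function firstMatch(sources, candidate) {
  let hit = null;
  sources.forEach((s) => { if (hit === null && s.match(candidate)) hit = s; });
  return hit;
}

// Constructed sample data: one inline script body and a three-expression list.
const INLINE = "console.log('hello');";
const POLICY_SOURCES = parseSourceList(
  `https://example.com 'sha256-${sha256b64(INLINE)}' 'nonce-r4nd0m'`);
```
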